ush.it - a beautiful place

Skype 1.4.118 for Linux = Panacea

October 7, 2007 at 4:01 pm - Filed under Insecurity, Language EN

A few moments ago I was reading the Skype 1.4.118 for Linux changelog and noticed a new feature named "Auto-accept file transfers". Damn, I thought, if it's enabled by default, an issue found accidentally some time ago is now fully weaponized: Skype 1.4.0.74 (probably also others) happily overwrites files without asking!

Any file writable by the user in the save directory, by default $HOME, is susceptible to being completely overwritten. This includes your .bashrc, .profile, etc., so there is a high chance of gaining access or executing automated scripts as the user account on the other side. The lifesaver was that some user interaction was needed: a click on the accept button.

Luckily they were aware of the vulnerability and fixed it (funny note: nobody I spoke with was aware of this security issue; I just learned from the changelog that it was already known), and it's no longer possible to overwrite files (it behaves like Firefox, adding a .1.ext, .2.ext to the filename). Additionally, the new "Auto-accept file transfers" feature is disabled by default. Malicious contacts are out of luck here.

The complete changelog is at https://developer.skype.com/LinuxSkype/ReleaseNotes and the cited bug is "known issue: There is currently no File Overwrite confirmation dialog" aka "It overwrites without asking".

In case it's relevant to you: when I hit that bug I also swiftly looked for directory traversal bugs, but the slash and backslash characters were replaced with underscores. I didn't test for (double, N) encoding, escaping, nulls, etc., but you can always give it a try :)
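The fixed behaviour described above (never overwrite, fall back to a numbered .1.ext name) combined with the slash/backslash replacement, as an added example of how a receiving client can save an incoming file safely. This is not Skype's code: the function names, the NUL and "."/".." handling, the 0600 mode and the sample file contents are assumptions made for the illustration.

```python
import itertools
import os
import tempfile


def sanitize_name(name: str) -> str:
    """Reduce a sender-supplied filename to one harmless path component."""
    # Same substitution the post observed: slash and backslash become "_".
    # Assumption: NUL bytes get the same treatment.
    for ch in ("/", "\\", "\x00"):
        name = name.replace(ch, "_")
    # Assumption: empty names and the special entries "." / ".." are refused.
    return "unnamed" if name in ("", ".", "..") else name


def candidate_names(name: str):
    """Yield name, then name.1.ext, name.2.ext, ... as described in the post."""
    yield name
    stem, ext = os.path.splitext(name)
    for n in itertools.count(1):
        yield f"{stem}.{n}{ext}"


def save_received(save_dir: str, sender_name: str, data: bytes) -> str:
    """Store data in save_dir without ever replacing an existing file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    for name in candidate_names(sanitize_name(sender_name)):
        path = os.path.join(save_dir, name)
        try:
            # O_CREAT|O_EXCL checks and creates in one atomic step, so there
            # is no check-then-write race; it also fails if path is a symlink.
            fd = os.open(path, flags, 0o600)
        except FileExistsError:
            continue  # name taken: try the next numbered variant
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return path


if __name__ == "__main__":
    home = tempfile.mkdtemp()  # stands in for the $HOME save directory
    with open(os.path.join(home, ".bashrc"), "wb") as fh:
        fh.write(b"# user's own settings (constructed sample)\n")
    for offered in (".bashrc", "report.pdf", "report.pdf", "../../.profile"):
        saved = save_received(home, offered, b"incoming (constructed sample)\n")
        print(f"{offered!r:20} -> {os.path.basename(saved)}")
```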

One nice piece of news in this field is that the new version supports both drag-n-drop and API file transfers, so you are no longer limited to what the "Select File" dialog is able to load.

Happy fuzzing!
Francesco `ascii` Ongaro
